Skip to content

Latest commit

 

History

History
63 lines (40 loc) · 1.89 KB

lab-09-1.md

File metadata and controls

63 lines (40 loc) · 1.89 KB

This post is part of the series of Practical Malware Analysis Exercises.

1) How can you get the malware to install itself?

Patch the password or decode the correct one.

  1. Pass -in <password> for installation.
  2. The file will be copied to System32, cloning kernel32's timestamp.
  3. A service will be created pointing to the new exe.
  4. A registry key will be created, presumably with configuration info.
  5. Service will start on next reboot.

2) What are the command line options? What is the password requirement?

  • -in <1>: Create service, create registry key, copy file, modify timestamp.
  • -re <1>: Uninstall service, delete file.
  • -c  <4>: Update configuration. Create registry key if not there.
  • -cc <0>: Print configuration:k:<aa> h:<bb> p:<cc> per:<dd>
    • k=ups
    • h=host:http://www.practicalmalwareanalysis.com
    • p=port:80
    • per=60

3) How can you patch this program in Olly to remove password requirement.

Change conditional jump to an unconditional jump at 00402B61.

4) Host based indicators?

  1. Registry key:HKLM\SOFTWARE\Microsoft \XPS
  2. File: exe in system32 with kernel32 timestamp, and a service named after it.

5) What actions can this malware be instructed to take over the network?

  1. SLEEP: sleep X seconds.
  2. UPLOAD: upload file to host.
  3. DOWNLOAD: download file from host.
  4. CMD: run command on the host.
  5. NOTHING

Since it can run commands, it can update and remove remotely.

When the service starts:

  1. DNS query: www.practicalmalwareanalysis.com
  2. Connect over port 80.
  3. GET requests: different strings each time, same format
  • HjD2/eMH7.stT
  • SCAL/fD8H.bSS
  • 8A0y/RwoX.laU

When sending a request, it calls time functions. May be used for mangling.

6) Network based signatures?

  1. URL: http://www.practicalmalwareanalysis.com